Skip to main content

How ISO 27001 is implemented — and what your company does first.

By Harry Sidhu — ISO 27001 Lead Implementer, NV1-cleared · Updated July 2026

ISO/IEC 27001:2022 is a management system, not a software install — and roughly 70% of a smooth implementation is decided before day one. This is the senior-implementer walkthrough of how an ISMS is actually built inside your Microsoft 365 tenant, plus the readiness, roles and decisions your organisation has to own.

ISO 27001 implementation is the process of building an information security management system (ISMS) that meets Clauses 4-10 of ISO/IEC 27001:2022 and the controls you select from its 93 Annex A controls, then proving it to a JAS-ANZ-accredited certification body. You do not implement all 93 controls — you select what your risk assessment justifies, and the Statement of Applicability accounts for every one.

What you implement: the 93 Annex A controls

ISO 27001:2022 replaced the old 114-control / 14-domain structure with 93 controls across four themes: Organizational (A.5) has 37 controls, People (A.6) has 8, Physical (A.7) has 14, and Technological (A.8) has 34. Eleven controls are new in 2022, and Amendment 1:2024 added climate-change consideration to Clauses 4.1 and 4.2.

Before you start: what your organisation must prepare

Before day one you need genuine top-management commitment (Clause 5.1), a decided ISMS scope (Clause 4.3), a first-pass asset and information inventory (supports A.5.9), a named internal ISMS owner (Clause 5.3), budget and realistic staff time (Clause 7.1), a defined risk appetite and criteria (Clause 6.1.2), staff availability for interviews and awareness training (Clauses 7.2 and 7.3), and a reasonably clean Microsoft 365 tenant.

The ISO 27001 implementation process, step by step

Step 1 — Secure leadership & mandate (Clause 5)

A named executive sponsor, budget, and assigned roles. Everything downstream stalls without this.

Step 2 — Set context & scope (Clause 4)

Internal and external issues, interested parties, legal and (new in 2022) climate relevance — then draw the ISMS boundary.

Step 3 — Policy & objectives (Clauses 5.2 and 6.2)

A right-sized information security policy and measurable objectives that management actually signs off.

Step 4 — Define the risk method (Clause 6.1.2)

Agree how risks are scored and what is acceptable. 2022 allows any consistent method — no forced asset-based approach.

Step 5 — Run the risk assessment (Clauses 6.1.2 and 8.2)

Identify risks and risk owners, analyse likelihood and impact, and evaluate against your criteria.

Step 6 — Treat risk and build the SoA (Clause 6.1.3)

Select the controls you need, cross-check against the 93 in Annex A, and produce the Statement of Applicability.

Step 7 — Implement controls & documents (Clauses 7 and 8)

Configure the controls in your Microsoft 365 tenant, write the documents your risks justify, and train staff.

Step 8 — Operate & gather evidence (Clause 8)

The ISMS has to run — auditors expect roughly two to three months of live records before certification.

Step 9 — Internal audit & management review (Clauses 9.2 and 9.3)

An independent internal audit plus a management review, with findings closed before the auditor arrives.

Step 10 — Stage 1 & Stage 2 audit (Certification)

A JAS-ANZ-accredited body reviews readiness then implementation. The certificate is valid three years, with surveillance in years one and two.

Who does what

ISO 27001 assigns responsibilities under Clause 5.3: top management sponsors the ISMS and fronts the auditor; an internal ISMS owner runs it day-to-day and through surveillance audits; IT and engineering implement the technological controls in Microsoft 365; department heads own their risks; and all staff follow the policies and complete awareness training.

What most guides get wrong

Many pages still describe the retired 2013 standard. Corrections: it is 93 controls in four themes, not 114 in 14 domains; ISO 27001:2013 certificates have been invalid since the 31 October 2025 transition deadline; you select controls by risk rather than implementing all 93; and Amendment 1:2024 made climate change an auditable consideration.

Frequently asked questions

How long does ISO 27001 implementation take?

For a typical Australian SMB of 10-50 staff on Microsoft 365, audit-ready in about 12 weeks from a discovery workshop, then Stage 1 and Stage 2 certification audits are booked with an accredited body. Most of a smooth timeline is decided before day one by how ready the organisation is.

How many controls are in ISO 27001 (2022)?

Exactly 93, grouped into four themes: Organizational (37), People (8), Physical (14) and Technological (34). The older "114 controls across 14 domains" is the retired 2013 version.

Do we have to implement all 93 controls?

No. Controls are selected by risk. The Statement of Applicability lists all 93 and records which are included, which are excluded, and why.

What does our organisation need to prepare before starting?

Genuine leadership commitment, a decided scope, a first-pass asset inventory, a named internal ISMS owner, budget and time, a defined risk appetite, staff availability, and a reasonably clean Microsoft 365 tenant.

Is ISO 27001:2013 still valid in 2026?

No. The 2013 to 2022 transition deadline was 31 October 2025. As of 2026, certification is only against ISO 27001:2022, including Amendment 1:2024.

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is the certifiable requirements standard (Clauses 4-10 plus the Annex A control titles). ISO 27002 is the non-certifiable guidance that explains how to implement each control. You certify to 27001, not 27002.

Do we need to be on Microsoft 365?

It is the fastest path — Aegentra implements the technological controls directly in your tenant and collects evidence with the Aeges risk engine. Other environments can be scoped during discovery.

Ready to have it done for you? Aegentra senior engineers implement every applicable Annex A control inside your Microsoft 365 tenant and get you audit-ready in 12 weeks — see the ISO 27001 implementation service, or read the ISO 27001 certification guide for costs and timelines.